If this is your first visit, be sure to
check out the Forum Rules by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Anti-Forensics via DD (Blazingly Faster than the MAN page)

Disclaimer: Currently deployed to Afghanistan and therefore incapable of downloading the newest Backtrack

Rig:Toshiba Netbook 32-bit
3 Partition (Logical) 500GB HD
-sda1 --> BT4 r2 (ext2)
-sda2 --> Ubuntu (ext3) (Natty) Original release (8..... I believe) (Can't update, whatever...)
-sda3 --> Windows 7 (NTFS) (don't remember my service pack, not really important for this context)
Over the past 2 weeks I have been playing with different implementations on the usage of DD. I began this when I came across an article somewhere on the net regarding shred/sdelete and its ineffectiveness at wiping data; sadly I don't remember the link or I would post it. However, I decided to do a file backup on my laptop, and came across the fact that I saved the webpage. It is as follows.
This illustrates the problem with "srm". To follow you'll need "sleuthkit" and "secure-delete".
Create a file called data. "ls -Fhli" shows the inode numbers on the left.

To clear the block you need to run 'sfill' or use 'dd' with if=/dev/zero or if=/dev/urandom to fill up the filesystem.
I then tried my own method using dd as root; and it worked.

The above experience really got me into thinking how quickly DD could overwrite freespace on a device, and if it was "cross-platform" enough for me in the sense of different file sytem architectures (ext2, ext3, ext4, NTFS, etc....). So, I did what any good true hacker would do and I started experimenting on my own, not just taking the articles on the net at face value. About 3 nights ago I happened to be booted into Ubuntu when I decided to try an implementation of DD using a method that translated the /dev/zero output to all 1s

This made me a file 512 bytes in size (512 is the default byte-size unless specified otherwise with bs=) that was filled with 1s for characters. A subsequent: "hexdump -C < foo" confirm the output of 1s. At this point I started trying various implementations of bs & count combinations to come up wih the quickest method for filling a certain device. I made the following observations.
All these were done on different partitions than the operating system in which i tested it. ie.... I filled /dev/sda2 while operating from /dev/sda1, and /dev/sda1 while operating /dev/sda2, /dev/sda3 was windows so i just choose the ubuntu to wipe from.

To see the current speed and progress of a dd operation you simple need to: "ps aux | grep dd", then note the process ID, then issue "kill -USR1 <pid>. This will make a progress dump on the screen doing the DD. The average speed for writing to ext2 & ext3 was found to be around: 22MB/second. The average speed for writing to my NTFS partition averaged out around 5MB a second, it started strong around 20MB a second, but averaged out to the 5 after roughly 1GB of writing.

It was when I happened to have missed a keystroke that the thought for the whole article came up! I was in ubuntu (/dev/sda2) and i had mounted (/dev/sda1) to my home directory ie (mount /dev/sda1 ~/mt)

I then changed to the mt directory (/dev/sda1) and started typing, but I was careless and I typed: "dd if=dev/zero | tr '\0' '\49' > foo". I then issued my kill -USR1 command to see how the progress was coming along and it was at a whopping 48MB/sec! Couldn't believe it...., So, I killed the original process and tried to figure out what had happened. In looking at my syntax I noticed that I did not include a "/" in front of the dev for the if= option. I was now using the (/dev/sda1) partitions /dev/zero file to write to foo.

So, here are some questions I have regarding my experience I hope the community can chime in on:

1) I wonder if anyone else has used dev/zero vs /dev/zero before.

2) Why is if=dev/zero double the speed of if=/dev/zero (Something bout it not being the active O/S?)

3) Help me to improve the following syntax please; the goal of which being able to background DD command that uses pipes and issue kill -USR1 to a variable versus parsing the running processes.

- Example 1:

Code:

dd if=/dev/zero of=foo & pid=$!

the user is then able to type

Code:

kill -USR1 $pid

and see the results

- Example 2:

Code:

dd if=/dev/zero of=foo | tr '\0' '\123' > foo & $pid=$!

The problem here is that it issues the pid to the tr command and not dd, I've tried various implementations placing the ampersand right after dd and such, but it all fails......And yes, I am aware that I could simple issue a test expr to make the value of $pid=$pid-1 so to speak, but I would like to learn to proper syntax so that I can understand why it doesnt work. The goal is to background DD so that I dont have to open another screen, while at the same time piping DDs output to a customized command so that I can make it something other than a "null" filled file.

V/r,
Snafu
Pffbt..

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass..

Last edited by snafu777; 10-08-2011 at 06:36 PM.
Reason: I found a saved copy of the webpage (Lucky!)